GAO

advertisement
United States Government Accountability Office
GAO
Testimony
Before the Subcommittee on Oversight
and Investigations, Committee on Energy
and Commerce, House of Representatives
For Release on Delivery
Expected at 10:00 a.m. EDT
Thursday, September 25, 2008
NUCLEAR SECURITY
Los Alamos National
Laboratory Faces
Challenges In Sustaining
Physical and Cyber Security
Improvements
Statement of Gene Aloise, Director
Natural Resources and Environment
Nabajyoti Barkakati, Chief Technologist
Applied Research and Methodology
Gregory C. Wilshusen, Director
Information Security Issues
GAO-08-1180T
September 25, 2008
NUCLEAR SECURITY
Accountability Integrity Reliability
Highlights
Highlights of GAO-08-1180T, testimony
before the Subcommittee on Oversight
and Investigations, Committee on Energy
and Commerce, House of Representatives
Los Alamos National Laboratory Faces Challenges in
Sustaining Physical and Cyber Security
Improvements
Why GAO Did This Study
What GAO Found
Los Alamos National Laboratory
(LANL) is one of three National
Nuclear Security Administration
(NNSA) laboratories that designs
and develops nuclear weapons
for the U.S. stockpile. LANL
employees rely on sensitive and
classified information and assets
that are protected at different
levels, depending on the risks
posed if they were lost, stolen, or
otherwise compromised.
However, LANL has experienced
several significant security
breaches during the past decade.
Physical security at LANL is in a period of significant improvement, and LANL
is implementing over two dozen initiatives to better protect its classified
assets. However, while LANL’s current initiatives address many physical
security problems previously identified in external security evaluations, other
significant security problems have received insufficient attention. In addition,
the management approaches that LANL and NNSA intend to use to sustain
security improvements over the long term are in the early stages of
development or contain weaknesses. Furthermore, LANL’s ability to sustain
its improved physical security posture is unproven because (1) the laboratory
appears not to have done so after a significant security incident in 2004, with
another significant security breach in 2006, and (2) NNSA’s Los Alamos Site
Office—which is responsible for overseeing security at LANL—may not have
enough staff or the proper training to execute a fully effective security
oversight program. GAO’s report made recommendations to help further
improve physical security at LANL and ensure that these improvements are
sustained over the long term.
This testimony provides GAO’s
(1) views on physical security at
LANL, as discussed in Los
Alamos National Laboratory:
Long-Term Strategies Needed to
Improve Security and
Management Oversight, GAO-08694 (June 13, 2008); (2)
preliminary observations on
physical security at Lawrence
Livermore National Laboratory;
and (3) views on cyber security at
LANL as discussed in
Information Security: Actions
Needed to Better Protect Los
Alamos National Laboratory’s
Unclassified Computer Network,
GAO-08-1001 (Sept. 9, 2008). To
conduct this work, GAO analyzed
data, reviewed policies and
procedures, interviewed
laboratory officials, and
conducted site visits to the two
laboratories.
To view the full product, including the scope
and methodology, click on GAO-08-1180T.
For more information, contact Gene Aloise at
(202) 512-3841, or aloisee@gao.gov;
Gregory C. Wilshusen at (202) 512-6244 or
wilshuseng@gao.gov; and Nabajyoti
Barkakati at (202) 512-6412 or
barkakatin@gao.gov.
As a result of poor performance on an April 2008 physical security evaluation
conducted by the Department of Energy’s (DOE) Office of Independent
Oversight, GAO is reviewing physical security at Lawrence Livermore National
Laboratory (Livermore). GAO’s preliminary observations are that Livermore
appears to experience difficulties similar to LANL’s in sustaining security
performance. Furthermore, it appears that NNSA has not always provided
effective oversight of Livermore. Specifically, an NNSA security survey
conducted only 6 months prior to the April 2008 DOE evaluation gave
Livermore the highest possible rating on its security program’s performance.
These results differ markedly from those documented by DOE’s Office of
Independent Oversight.
LANL has implemented measures to enhance cyber security, but weaknesses
remain in protecting information on its unclassified network. This network
possesses sensitive information such as unclassified controlled nuclear
information, export control information, and personally identifiable
information about LANL employees. GAO found vulnerabilities in critical
areas, including (1) identifying and authenticating users, (2) encrypting
sensitive information, and (3) monitoring and auditing security policy
compliance. A key reason for these information security weaknesses is that
the laboratory has not fully implemented an information security program to
ensure that controls are effectively established and maintained. Furthermore,
deficiencies in LANL’s policies and procedures raise additional concern,
particularly with respect to foreign nationals’ accessing the network from the
laboratory and remotely. Finally, LANL cyber security officials told GAO that
funding to address some of their security concerns with the laboratory’s
unclassified network has been inadequate. However, NNSA officials asserted
that LANL had not adequately justified its requests for additional funds. GAO
made 52 recommendations to help strengthen LANL’s information security
program and controls over the unclassified network.
United States Government Accountability Office
Mr. Chairman and Members of the Subcommittee:
We are pleased to be here today to discuss physical and cyber security at
Los Alamos National Laboratory (LANL). LANL, located in Los Alamos,
New Mexico, has a multibillion dollar annual budget and is one of three
National Nuclear Security Administration (NNSA) laboratories responsible
for designing and developing a safe, secure, and reliable nuclear weapons
deterrent.1 In fiscal year 2007, LANL budgeted nearly $200 million to
provide the laboratory with physical and cyber security to protect the
sensitive and classified assets on which laboratory employees rely to
conduct their work. A successful physical or cyber attack on NNSA sites
containing nuclear weapons, the material used in nuclear weapons, or
information pertaining to the people who design and maintain the U.S.
nuclear deterrent could have devastating consequences for the site, its
surrounding communities, and the nation’s security. Because of these
risks, NNSA sites need effective physical and cyber security programs.
Over the last decade, LANL has experienced a series of high-profile
security incidents in which sensitive assets and classified information
were compromised. In October 2006, during a drug raid on a private
residence, it was discovered that a LANL contract employee had
transferred classified information to a USB “thumb drive” and removed the
thumb drive, as well as a large number of classified documents, from the
laboratory. The Department of Energy’s (DOE) Inspector General reported
that a serious breakdown in core laboratory physical and cyber security
controls contributed to the October 2006 thumb drive incident.2 More
recently, in April 2008, DOE’s Office of Independent Oversight conducted
an evaluation of security at Lawrence Livermore National Laboratory
(Livermore). The evaluation included a mock terrorist attack on a
sensitive laboratory facility and concluded that Livermore’s security
program had significant weaknesses, particularly with respect to the
performance of Livermore’s protective force and the physical protection of
classified resources.
1
The other design and development laboratories are Lawrence Livermore National
Laboratory in Livermore, California, and Sandia National Laboratories in Albuquerque, New
Mexico, and Livermore, California. NNSA is a separately organized agency within the
Department of Energy that is responsible for the management and security of the nation’s
nuclear weapons, nuclear nonproliferation, and naval reactors programs.
2
U.S. Department of Energy, Office of Inspector General Office of Audit Services, Special
Inquiry Report to the Secretary: Selected Controls Over Classified Information at the Los
Alamos National Laboratory, OAS-SR-07-01 (Washington, D.C., Nov. 2006).
Page 1
GAO-08-1180T Security at DOE National Laboratories
As a result of the October 2006 thumb drive incident and the congressional
hearings that followed, the Committee asked us to review physical and
cyber security at LANL. In addition, in June 2008, this Committee
requested that we review the status of physical security at Livermore. Our
testimony today discusses (1) physical security at LANL, (2) preliminary
observations from ongoing work on physical security at Livermore, and (3)
cyber security at LANL. This statement is primarily based on recently
issued reports on physical and cyber security at LANL.3 We conducted the
performance audit work that supports this statement in accordance with
generally accepted government auditing standards. Those standards
require that we plan and perform the audit to obtain sufficient, appropriate
evidence to produce a reasonable basis for our findings and conclusions
based on our audit objectives. We believe that the evidence obtained
provides a reasonable basis for our statements today.
Summary
Physical security at LANL is in a period of significant improvement, and
LANL is implementing over two dozen initiatives to better protect its
classified assets. However, while LANL’s current initiatives address many
security problems previously identified in external evaluations, other
significant security problems have received insufficient attention. For
example, at the time of our review, LANL had not implemented complete
security solutions to address either the storage of classified nuclear
weapons parts in unapproved storage containers or weaknesses in its
process for ensuring that actions taken to correct security deficiencies are
completed. Furthermore, management approaches that LANL and NNSA
officials told us they would use to sustain security improvements over the
long term were in the early stages of development or contained
weaknesses. In addition, LANL’s ability to sustain its improved physical
security posture is unproven because (1) the laboratory appears not to
have done so after a significant security incident in 2004, and (2) NNSA’s
Los Alamos Site Office—which is responsible for overseeing physical
security at LANL on a daily basis—may not have enough staff or the
proper training for these staff to execute a fully effective security
oversight program. Our report on physical security at LANL made three
recommendations to the Secretary of Energy and the Administrator of
3
GAO, Los Alamos National Laboratory: Long-Term Strategies Needed to Improve
Security and Management Oversight, GAO-08-694 (Washington, D.C.: June 13, 2008) and
GAO, Information Security: Actions Needed to Better Protect Los Alamos National
Laboratory’s Unclassified Computer Network, GAO-08-1001 (Washington, D.C.: Sept. 9,
2008).
Page 2
GAO-08-1180T Security at DOE National Laboratories
NNSA concerning long-term strategic security planning and the use of
meaningful financial incentives for effective security performance. We
believe these recommendations, if effectively implemented, would help
further improve physical security at LANL and ensure that these
improvements are sustained over the long term.
Though our observations on physical security at Livermore are
preliminary, the laboratory appears to be experiencing difficulties similar
to LANL’s in sustaining physical security performance. In addition,
Livermore’s self-assessment and performance assurance programs appear
to need improvement. For example, Livermore and NNSA security officials
acknowledged that a lack of comprehensive performance assurance
testing was a significant contributing factor to the poor performance of
Livermore’s protective forces during their April 2008 exercise. Finally, it
appears that NNSA has not always provided effective security oversight of
Livermore. Specifically, a 2007 NNSA security survey gave Livermore the
highest possible rating on its security performance, differing markedly
from what DOE observed during its evaluation in April 2008, only 6
months later. DOE identified multiple areas for significant improvement,
and gave Livermore the lowest rating possible in two security performance
areas.
Our review of cyber security at LANL found that the laboratory has
implemented measures to enhance its information security, but
weaknesses remain in protecting the confidentiality, integrity, and
availability of information on its unclassified network.4 LANL’s
unclassified network contains sensitive information, such as unclassified
controlled nuclear information, export control information, and personally
identifiable information about laboratory employees. LANL has
implemented a network security system that is capable of detecting
potential intrusions; however, we found vulnerabilities in several critical
areas, including identifying and authenticating users; encrypting sensitive
information; and monitoring and auditing compliance with security
policies. For example, LANL has implemented strong authentication
measures for accessing its unclassified network, but once access is
initially gained, a user can work around the authentication measures to
access certain sensitive information. A key reason for LANL’s information
security weaknesses is that the laboratory has not fully implemented an
4
We are currently reviewing information security controls over LANL’s classified network
for this Committee.
Page 3
GAO-08-1180T Security at DOE National Laboratories
information security program to ensure that controls are effectively
established and maintained. For example, LANL’s most recent risk
assessment for its unclassified network generally identified and analyzed
vulnerabilities, but did not account for risks identified by the laboratory’s
own internal vulnerability testing. Furthermore, we and other external
security evaluators have reported concerns about LANL’s policies for
granting foreign nationals—particularly those from countries classified as
“sensitive” by DOE—access to the unclassified network. Finally, LANL
cyber security officials told us that funding to address some of their
security concerns with respect to the laboratory’s unclassified network
has been inadequate. NNSA officials told us LANL has not adequately
justified its request for additional funds, and NNSA is developing a process
for developing cyber security budgets more systematically. We made 52
recommendations to the Secretary of Energy and the Administrator of
NNSA that, if effectively implemented, would improve LANL’s information
security program and controls over its unclassified network. These
recommendations address, among other things, ensuring that LANL’s risk
assessment for its unclassified network evaluates all known vulnerabilities
and is revised periodically, and strengthening policies with a view toward
further reducing, as appropriate, foreign nationals’ access to the
unclassified network.
Background
A basic management objective for any organization is to protect the
resources that support its critical operations from unauthorized access,
use, destruction, or disruption. Organizations accomplish this objective by
designing and implementing controls that are intended to, among other
things, prevent, limit, and detect unauthorized access to computing
resources, programs, information, and facilities. At LANL, these assets
include Category I special nuclear material, such as plutonium and highly
enriched uranium;5 thousands of classified nuclear weapons parts and
components; millions of classified documents; thousands of pieces of
classified removable electronic media that contain nuclear weapon design
information;6 over 100 vaults and vault-type rooms that store classified
assets; and computer networks and the hardware on which these
5
Special nuclear material is considered to be Category I when it is weapons-grade, such as
plutonium and highly enriched uranium, and occurs in specified forms and quantities.
6
Some classified documents and pieces of removable electronic media, such as CDs and
thumb drives, pose a security risk that requires maintenance of an accountability system to
prevent unauthorized access or removal.
Page 4
GAO-08-1180T Security at DOE National Laboratories
networks run that protect classified information as well as sensitive
unclassified information.
LANL is subject to a series of DOE security orders that outline
requirements for implementing effective physical and cyber security
protection strategies. These orders include an assessment of the potential
size and capabilities of terrorist forces that could physically attack a
laboratory and against which a laboratory must be prepared to defend.
The orders further describe different levels of physical protection for
sensitive and classified assets, depending on the risk they would pose if
they were lost, stolen, or otherwise compromised. Appropriate physical
protection safeguards include locks and keys, fences, means to detect
unauthorized entry, perimeter alarms, vehicle barriers, and armed guards.
In addition, the Congress enacted the Federal Information Security
Management Act (FISMA) in December 2002 to strengthen the security of
information and information systems across the federal government.7
FISMA requires each agency to develop, document, and implement an
agencywide information security program that supports the operations
and assets of the agency, including those provided or managed by another
agency or contractor on its behalf. Examples of appropriate information
security controls include user identification and authentication that allow
computer systems to differentiate between users and verify their
identities; cryptography that ensures the confidentiality and integrity of
critical and sensitive information; configuration management that
identifies and manages security features for all hardware, software, and
firmware components of an information system and controls changes to
them; and audit and monitoring controls that help establish individual
accountability and monitor compliance with security policies.
LANL is managed and operated by a corporate entity, Los Alamos National
Security LLC (LANS).8 NNSA’s Los Alamos Site Office serves as the
primary federal overseer of laboratory security performance. Annually, the
Site Office determines how much money LANS will earn for its
7
FISMA was enacted as title III, E-Government Act of 2002, Pub. L. No. 107-347, 116 Stat.
2946 (Dec. 17, 2002).
8
LANS has been the management and operating contractor of LANL since June 2006. LANS
is made up of the University of California, Bechtel National, Washington Group
International, and BWX Technologies (which now operates under the name The Babcock &
Wilcox Company).
Page 5
GAO-08-1180T Security at DOE National Laboratories
management of the laboratory according to a maximum available
performance-based fee established in the laboratory’s contract. The Site
Office bases its determination on the laboratory’s success in meeting the
goals laid out in performance evaluation plans. These plans allocate
portions of the maximum available performance award fee to NNSA
performance objectives, including measures related to both physical and
cyber security.
In addition, two DOE organizations are required to periodically review
physical and cyber security at LANL. NNSA’s Los Alamos Site Office is
required to conduct security surveys annually. These surveys are based on
observations of performance, including compliance with DOE and NNSA
security directives. In fiscal year 2008, the results of this survey are
directly tied to NNSA’s performance evaluation plan, and are therefore a
factor in LANS’ ability to earn the maximum available performance award
fee. DOE’s Office of Independent Oversight also conducts evaluations,
typically every 18 months for facilities that store Category I special nuclear
material. These evaluations identify weaknesses in the laboratories’
security programs and produce findings that laboratory officials must take
action to correct. The reviews overlap substantially, but each is required to
provide a comprehensive assessment of the laboratory’s security
programs.
Page 6
GAO-08-1180T Security at DOE National Laboratories
While Physical
Security at Los
Alamos National
Laboratory Has
Improved,
Management
Approaches to
Sustain Security
Improvements Are in
the Early Stages of
Development or
Contain Weaknesses
Physical security at LANL is in a period of significant improvement, and
LANL is implementing over two dozen initiatives to reduce, consolidate,
and better protect its classified assets, as well as reduce the physical
footprint of the laboratory by closing unneeded facilities. LANL officials
believe that these initiatives will reduce the risk of incidents that can
result in the loss of control over classified assets. For example, to reduce
and consolidate classified assets and its physical footprint, as of March
2008, LANL had (1) reduced from nine to one the number of areas
containing Category I special nuclear material; (2) reduced the amount of
accountable classified removable electronic media from 87,000 pieces to
about 4,300 and made information previously accessible on removable
media available only through the laboratory’s classified computer
network; (3) eliminated about 30,000 classified nuclear weapon parts; and
(4) reduced the number of vault-type rooms from 142 to 111. In addition,
during fiscal year 2007, LANL reduced the physical footprint of existing
facilities by over 500,000 square feet. In concert with these actions, LANL
is implementing a series of engineered and administrative controls to
better protect and control classified assets, 9 such as removing the
functions from classified computers that enable them to create new pieces
of removable electronic media and streamlining physical security
procedures to make them easier to implement across the laboratory.
We found that DOE’s Office of Independent Oversight and the Los Alamos
Site Office identified significant physical security problems at LANL that
the laboratory had not fully addressed. Specifically, while LANL’s storage
of classified parts in unapproved storage containers and its process for
ensuring that actions to correct identified security deficiencies have been
cited in external security evaluations for years, complete security
solutions in these areas had not yet been implemented at the time of our
review. In addition, external security evaluations had repeatedly identified
concerns about the adequacy of LANL’s assessments of its own security
performance. The security self-assessment program provides LANL with
the opportunity to self-identify security deficiencies and address them
before they can be exploited. External security evaluations found that
LANL’s self-assessments were not comprehensive and did not include
discussions of all internal findings. These evaluations also noted that
findings identified through self-assessments were not always analyzed and
9
Engineered controls are system-based controls that manage work processes and prevent
employees from taking inappropriate action. Administrative controls are typically policies
or procedures that govern the handling of classified resources.
Page 7
GAO-08-1180T Security at DOE National Laboratories
addressed through corrective actions. At the time of our review, Los
Alamos Site Office and DOE Office of Independent Oversight officials
noted that LANL’s self-assessment program was improving.
LANL officials identified three management approaches that they asserted
would sustain security improvements over the long term. However, these
approaches were either in an early stage of development or contained
important weaknesses that may impair their ability to ensure the
sustainability of security improvements at the laboratory for the
foreseeable future. First, LANL officials identified completing the
management actions required by the Secretary of Energy’s Compliance
Order issued as a result of the October 2006 thumb drive incident as an
approach to ensure that security improvements are sustained, yet the
Compliance Order itself does not provide a mechanism to sustain security
improvements over the long-term.10 Second, LANL officials told us they
will track the implementation of longer-term actions, including those
required by the Compliance Order, by developing and implementing the
Contractor Assurance System required under the LANS contract.11
However, the extent to which LANL can rely on the Contractor Assurance
System to ensure the long-term sustainability of security improvements is
unclear. According to a Los Alamos Site Office official, the Contractor
Assurance System will not be fully completed for 3 to 4 years and, thus,
will not be fully implemented by the time actions under the Compliance
Order are completed. Finally, according to LANL officials, the laboratory
plans to realize security improvements by meeting the security-related
performance incentives in the annual performance evaluation plans NNSA
uses to measure performance and determine an award fee for LANS.
However, the annual performance evaluation plans focus principally on
10
The Secretary of Energy has authority under 10 C.F.R. § 824.4(b) of DOE’s Procedural
Rules for the Assessment of Civil Penalties for Classified Information Security
Violations to issue compliance orders that direct management and operating contractors
to take specific corrective actions to remediate deficiencies that contributed to security
violations. On July 12, 2007, the Secretary of Energy issued a compliance order to LANS as
a result of the security incident discovered in October 2006. The Compliance Order directs
LANS to take comprehensive steps to ensure that it identifies and addresses critical
classified information and cyber security deficiencies at LANL. Violation of the Compliance
Order would subject LANS to civil penalties of up to $100,000 per violation per day until
compliance is reached.
11
The Contractor Assurance System is intended to be a tool to increase accountability and
improve laboratory management and performance. According to a LANL official, the
Contractor Assurance System is an integrated performance-based management system that
is available as a tool for federal oversight.
Page 8
GAO-08-1180T Security at DOE National Laboratories
compliance with DOE requirements and do not sufficiently reward
security program improvement. In that regard, according to a senior NNSA
security official, compliance with current DOE requirements does not
assure that LANL’s security program is functioning effectively. Indeed, we
found that all but $30,000 of the total $1.43 million fiscal year 2008
performance fee allocated to physical security was associated with LANL’s
achievement of compliance-oriented milestones, such as issuing plans,
publishing policies, and completing equipment maintenance requirements.
The management attention dedicated to improving physical security
following the October 2006 thumb drive incident mirrors the level of
attention that followed LANL’s 2004 shutdown, when over 3,400 safety and
security deficiencies were identified for correction. This shutdown lasted
up to 10 months for some laboratory activities and cost as much as $370
million.12 Given how quickly LANL’s security performance declined
between the full resumption of laboratory activities in May 2005 and the
discovery of the thumb drive on private property, LANL’s ability to sustain
the improved security posture it has recently achieved is unproven. Strong
federal oversight will help ensure that these improvements are sustained.
However, we reported that the Los Alamos Site Office suffers from a
shortage of security personnel and lacks funding needed for training.
Specifically, as of October 2007, the Los Alamos Site Office employed 13
security staff—enough for 1 person to oversee each of the topical areas
the Site Office had to evaluate. This staffing level, officials said, was
sufficient to cover only 15 percent of LANL’s facilities. In April 2008, a
senior security official at the Site Office said security staffing levels had
decreased since October 2007. Furthermore, while NNSA had identified
the need to train and certify Site Office security personnel in specific
subject matters, according to Site Office officials no specific training funds
had been made available.
We made three recommendations to the Secretary of Energy and the
Administrator of NNSA that, if effectively implemented, will improve
physical security at LANL and help ensure that improvements LANL has
achieved are sustained over the long term. Specifically, we recommended
that LANL be required to develop a comprehensive strategic plan for
laboratory security that addresses all previously identified security
12
GAO, Stand-Down of Los Alamos National Laboratory: Total Costs Uncertain; Almost
All Mission-Critical Programs Were Affected but Have Recovered, GAO-06-83
(Washington, D.C.: Nov. 18, 2005).
Page 9
GAO-08-1180T Security at DOE National Laboratories
weaknesses and focuses on improving security program effectiveness.
Furthermore, we recommended that NNSA provide meaningful financial
incentives in future performance evaluation plans for implementation of
this comprehensive strategic plan for laboratory security.
In June 2008, the Committee requested that we review the security status
at Livermore. This request came as a result of an evaluation by DOE’s
Office of Independent Oversight in April 2008, in which Livermore
received the lowest possible ratings for protective force performance and
for physical protection of classified resources. The evaluation also
identified issues in other areas, such as security sensors and alarms, and
security program management. We are currently verifying the findings of
the evaluation and Livermore’s actions to correct security deficiencies.
Specifically:
Preliminary
Observations on
Physical Security at
Lawrence Livermore
National Laboratory
•
Self-assessment and performance assurance testing programs at
Livermore need improvement. DOE’s Office of Independent Oversight
evaluations and Livermore Site Office security surveys found
shortcomings in Livermore’s fiscal year 1999, 2000, 2002, and 2008 selfassessment programs. In addition, Livermore and NNSA security officials
acknowledged that a lack of comprehensive performance assurance
testing was a significant contributing factor to the poor performance of
Livermore protective forces during their April 2008 exercise. Between
December 2006 and April 2008, Livermore did not hold an integrated
performance assurance test of its protective forces or operationally test
equipment key to the laboratory’s protective strategy. During our visit to
the laboratory 2 weeks ago, Livermore officials told us they are finalizing
corrective action plans to address deficiencies in their performance
assurance and self-assessment programs and have already conducted a
significant number of performance assurance tests with the protective
force and on equipment since the completion of the Office of Independent
Oversight’s 2008 evaluation.
•
NNSA and the Livermore Site Office have not always provided effective
security oversight. Six months before the Office of Independent
Oversight’s 2008 evaluation, the 2007 Livermore Site Office’s annual
security survey gave the laboratory a 100-percent satisfactory rating on its
security performance, the highest possible rating. The results of the Office
of Independent Oversight inspection not only differed markedly, but also
found that the Livermore Site Office survey was not comprehensive and
the ratings provided did not reflect what was actually observed. The
Livermore Site Office is currently in the process of fundamentally
Page 10
GAO-08-1180T Security at DOE National Laboratories
rebuilding and restructuring its survey program and has embarked on a
training program for its security personnel.
Though our observations are preliminary, Livermore appears to be
experiencing difficulties similar to LANL’s in sustaining physical security
performance. For example, in 1999, DOE’s Office of Independent
Oversight identified significant weaknesses in Livermore’s programs to
secure the laboratory’s Category I special nuclear material facility against
a potential terrorist attack. Livermore then embarked on a major program
to improve security and, according to the Office of Independent Oversight,
addressed most issues by 2002. This improved level of security
performance appears to have been sustained through 2006. Between
December 2006—when Livermore’s protective force performed well in an
exercise—and April 2008, security performance at Livermore declined. In
response to the negative results of the 2008 Office of Independent
Oversight evaluation, Livermore appears to be refocusing management
attention on security performance.
While our work is preliminary, we believe the actions taken by Livermore,
the Livermore Site Office, and NNSA, if and when fully implemented, will
address identified physical security issues. However, just as at LANL,
sustaining attention on physical security performance will continue to be a
challenge.
Los Alamos National
Laboratory Has
Implemented
Measures to Enhance
Cyber Security on Its
Unclassified Network,
but Weaknesses
Remain
LANL has implemented measures to enhance its cyber security, but
weaknesses remain in protecting the confidentiality, integrity, and
availability of information on its unclassified network. In particular, LANL
has implemented a network security system that is capable of detecting
potential intrusions on the network. However, LANL has vulnerabilities in
several critical areas, including (1) identifying and authenticating users of
the network, (2) encrypting sensitive information, (3) monitoring and
auditing compliance with security policies, (4) controlling and
documenting changes to a computer system’s hardware and software, and
(5) restricting physical access to computing resources. For example,
although LANL had implemented strong authentication measures for
accessing the network, these measures were not always used. Once a user
successfully accessed the network, the user could create a separate,
simple password that would allow alternative access to certain sensitive
information. Furthermore, LANL neither conducted comprehensive
vulnerability scans of the unclassified network nor included sensitive
applications in these scans, thus leaving the network at increased risk of
compromise or disruption. In addition to these weaknesses, LANL’s
Page 11
GAO-08-1180T Security at DOE National Laboratories
computing facilities had physical security weaknesses and could be
vulnerable to intentional disruption. Specifically, we observed lax
restriction of vehicular traffic entering the laboratory and inadequate
fencing.
A key reason for the information security weaknesses we identified is that
LANL has not yet fully implemented an information security program to
ensure that controls are effectively established and maintained. Although
LANL has implemented a security awareness training program, we
identified a number of shortcomings in its overall information security
management program. For example, (1) its risk assessment was not
comprehensive, (2) specific guidance was missing from policies and
procedures, (3) the network security plan was incomplete, (4) system
testing had shortcomings, (5) remedial action plans were incomplete and
corrective actions were not always timely, and (6) the network
contingency plan was incomplete and inadequately tested. Until LANL
ensures that the information security program associated with its
unclassified network is fully implemented, it will have limited assurance
that sensitive data are adequately protected against unauthorized
disclosure or modification or that network services will not be interrupted.
Many of LANL’s cyber security deficiencies have been the subject of prior
evaluations conducted by DOE’s Office of Independent Oversight and the
Los Alamos Site Office. The most recent reports, covering fiscal years 2006
and 2007, documented significant weaknesses with LANL’s unclassified
information security program, including foreign nationals’ access to the
laboratory’s unclassified network. As of May 2008, LANL had granted
unclassified network access to 688 foreign nationals, including about 300
from countries identified as sensitive by DOE, such as China, India, and
Russia.13 In addition, foreign nationals from sensitive countries have been
authorized remote access to LANL’s unclassified network. The number of
foreign nationals who have access to the unclassified network has raised
security concerns among some laboratory and NNSA officials because of
the sensitive information contained on the network. According to LANL,
the percentage of foreign nationals with authorized remote access to the
unclassified network has steadily declined over the last 5 years.
13
DOE identifies countries as sensitive based on national security, nuclear nonproliferation,
or terrorism concerns.
Page 12
GAO-08-1180T Security at DOE National Laboratories
NNSA and LANL have not agreed on the level of funding necessary for
protecting the unclassified network. From fiscal years 2001 through 2007,
LANL spent $51.4 million to protect and maintain its unclassified network.
Although LANL cyber security officials told us that funding has been
inadequate to address some of their security concerns, NNSA officials
raised questions about the basis for LANL’s funding request for cyber
security. NNSA’s Chief Information Officer told us that LANL has not
adequately justified requests for additional funds to address the
laboratory’s stated shortfalls. In addition, NNSA officials informed us that
LANL’s past budget requests were prepared on an ad hoc basis and were
not based on well-defined threat and risk assessments. In response to
these concerns, in fiscal year 2006, NNSA implemented a more systematic
approach to developing cyber security budgets across the nuclear
weapons complex, including LANL. This effort, however, does not provide
guidance that clearly lays out funding priorities. Furthermore, NNSA does
not consistently document resource allocation decisions and identify how
funding shortfalls affect critical cyber security issues.
To help strengthen information security controls over LANL’s unclassified
network, we made a series of recommendations to the Secretary of Energy
and the Administrator of NNSA, 11 of which focus on improving LANL’s
information security program and determining resource requirements for
the unclassified network. For example, we recommended that the
Secretary of Energy and the NNSA Administrator require the Director of
LANL to, among other things, (1) ensure that the risk assessment for the
unclassified network evaluates all known vulnerabilities and is revised
periodically and (2) strengthen policies with a view toward further
reducing, as appropriate, foreign nationals’ access to the unclassified
network, particularly those from countries identified as sensitive by DOE.
We made an additional 41 recommendations in a separate report with
limited distribution. These recommendations consist of actions to be taken
to correct the specific information security weaknesses related to
identification and authentication, cryptography, audit and monitoring,
configuration management, and physical security that we identified.
Mr. Chairman, this concludes our prepared statement. We would be happy
to respond to any questions that you or Members of the Subcommittee
may have at this time.
Page 13
GAO-08-1180T Security at DOE National Laboratories
GAO Contacts and
Staff
Acknowledgements
For further information on this testimony, please contact Gene Aloise at
(202) 512-3481 or aloisee@gao.gov; Nabajyoti Barkakati at (202) 512-6412
or barkakatin@gao.gov; and Gregory C. Wilshusen at (202) 512-6244 or
wilshuseng@gao.gov. Jonathan Gill, Ed Glagola, Jeff Knott, and Glen Levis,
Assistant Directors; Allison Bawden; Preston Heard; Tom Twambly; Ray
Rodriguez; John Cooney; Carol Herrnstadt Shulman; and Omari Norman
made key contributions to this testimony.
Contact points for our Offices of Congressional Relations and Public
Affairs may be found on the last page of this statement.
(361011)
Page 14
GAO-08-1180T Security at DOE National Laboratories
This is a work of the U.S. government and is not subject to copyright protection in the
United States. The published product may be reproduced and distributed in its entirety
without further permission from GAO. However, because this work may contain
copyrighted images or other material, permission from the copyright holder may be
necessary if you wish to reproduce this material separately.
GAO’s Mission
The Government Accountability Office, the audit, evaluation, and
investigative arm of Congress, exists to support Congress in meeting its
constitutional responsibilities and to help improve the performance and
accountability of the federal government for the American people. GAO
examines the use of public funds; evaluates federal programs and policies;
and provides analyses, recommendations, and other assistance to help
Congress make informed oversight, policy, and funding decisions. GAO’s
commitment to good government is reflected in its core values of
accountability, integrity, and reliability.
Obtaining Copies of
GAO Reports and
Testimony
The fastest and easiest way to obtain copies of GAO documents at no cost
is through GAO’s Web site (www.gao.gov). Each weekday, GAO posts
newly released reports, testimony, and correspondence on its Web site. To
have GAO e-mail you a list of newly posted products every afternoon, go
to www.gao.gov and select “E-mail Updates.”
Order by Mail or Phone
The first copy of each printed report is free. Additional copies are $2 each.
A check or money order should be made out to the Superintendent of
Documents. GAO also accepts VISA and Mastercard. Orders for 100 or
more copies mailed to a single address are discounted 25 percent. Orders
should be sent to:
U.S. Government Accountability Office
441 G Street NW, Room LM
Washington, DC 20548
To order by Phone: Voice:
TDD:
Fax:
(202) 512-6000
(202) 512-2537
(202) 512-6061
To Report Fraud,
Waste, and Abuse in
Federal Programs
Contact:
Congressional
Relations
Ralph Dawn, Managing Director, dawnr@gao.gov, (202) 512-4400
U.S. Government Accountability Office, 441 G Street NW, Room 7125
Washington, DC 20548
Public Affairs
Chuck Young, Managing Director, youngc1@gao.gov, (202) 512-4800
U.S. Government Accountability Office, 441 G Street NW, Room 7149
Washington, DC 20548
Web site: www.gao.gov/fraudnet/fraudnet.htm
E-mail: fraudnet@gao.gov
Automated answering system: (800) 424-5454 or (202) 512-7470
PRINTED ON
RECYCLED PAPER
Download